
RE: IPsec and Oakley test items



Hi Dan,

Below are a few relevant sections from the latest ISAKMP (unchanged from
previous versions).  I think it is clear that a Notification that is
concerned with a Quick Mode should use the same M-ID as that of the
Quick Mode.  And that it is acceptable to identify in progress Quick
Modes by that M-ID (along with the cookies).  

Using SPI alone to match up in progress Quick Modes is cumbersome,
especially for exchanges which involve multiple SPIs.  If I can key off
the M-ID it's much easier to single out the failed negotiation.

Regardless, there is a discrepancy between ISAKMP and your proposed
additions to ISAKMP/Oakley.  You can probably figure out which one I
want.

Bye.

Section 2.4 Identifying Security Associations
...
In the fifth line (5) of the table, the initiator and responder use the
Message ID field in the ISAKMP Header to keep track of the in-progress
protocol negotiation.  This is only applicable for a phase 2 exchange and
the value SHOULD be 0 for a phase 1 exchange because the combined cookies
identify the ISAKMP SA.

Section 3.14 Notification Payload
...
Notification which occurs during, or is concerned with, a Phase 2 negotiation
is identified by the Initiator and Responder cookie pair in the ISAKMP Header
and the Message ID and SPI associated with the current negotiation.  One
example for this type of notification is to indicate why a proposal was
rejected.
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com
Get FREE 128-bit FIPS-140-1 Validated Crypto for the desktop
http://www.entrust.com/solo.htm

>----------
>From: 	Daniel Harkins[SMTP:dharkins@cisco.com]
>Sent: 	Friday, September 05, 1997 12:18 PM
>To: 	Greg Carter
>Cc: 	'anx-sec@dot.netrex.net'; 'isakmp-oakley@cisco.com'; 'ipsec@tis.com'
>Subject: 	Re: IPsec and Oakley test items 
>
>  Greg,
>
>  Yes, the M-ID is only for the informational exchange. If the notify is
>a result of a failed Quick Mode the M-ID of the informational exchange
>will not be that of the failed Quick Mode; they are different. And once
>the message has been sent the unique M-ID (only for the Info exchange) is
>thrown away.
>
>
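
The two ways of attributing a Notification to a pending Quick Mode that this exchange argues over, as an added example that is not part of the original post or of any implementation mentioned in it: pending Phase 2 negotiations are keyed by (I-cookie, R-cookie, Message ID) as Section 2.4 describes; a Notification whose header reuses the Quick Mode's M-ID (the reading of Section 3.14 Greg argues for) is matched directly, and one that arrives under a fresh M-ID for the Informational exchange (the behaviour Dan describes) falls back to scanning every pending negotiation's SPIs. Header and Notification payload layouts follow RFC 2408; the cookies, SPIs, Message IDs and messages are constructed here, and the helper names (`Phase2Tracker`, `attribute_notification`, `build_notification`) are this example's own.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, Message ID, length.  28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Fixed part of the Notification payload (RFC 2408, section 3.14): next
# payload, reserved, payload length, DOI, protocol ID, SPI size, notify
# message type.  The variable-length SPI follows.  12 bytes.
NOTIFY_HDR = struct.Struct("!BBHIBBH")

EXCH_INFORMATIONAL = 5       # ISAKMP Informational exchange type
NP_NOTIFICATION = 11         # next-payload value for a Notification payload
PROTO_ISAKMP = 1             # Protocol-ID: the ISAKMP SA itself (phase 1)
PROTO_IPSEC_ESP = 3          # Protocol-ID: an ESP SA (phase 2)
NO_PROPOSAL_CHOSEN = 14      # Notify Message Type from the RFC 2408 table


def parse_header(msg):
    """Split an ISAKMP message into its header fields and remaining body."""
    icky, rcky, np, _ver, exch, _flags, mid, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    return {"icky": icky, "rcky": rcky, "np": np, "exch": exch,
            "mid": mid, "body": msg[ISAKMP_HDR.size:]}


def parse_notification(payload):
    """Decode the first Notification payload of a message body."""
    np, _res, plen, doi, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(payload)
    if plen < NOTIFY_HDR.size + spi_size:
        raise ValueError("Notification payload shorter than its SPI")
    spi = payload[NOTIFY_HDR.size:NOTIFY_HDR.size + spi_size]
    return {"next": np, "doi": doi, "proto": proto, "spi": spi, "ntype": ntype}


def build_notification(icky, rcky, mid, proto, spi, ntype):
    """Constructed sample: an Informational exchange carrying one Notification."""
    body = NOTIFY_HDR.pack(0, 0, NOTIFY_HDR.size + len(spi), 1, proto,
                           len(spi), ntype) + spi
    hdr = ISAKMP_HDR.pack(icky, rcky, NP_NOTIFICATION, 0x10, EXCH_INFORMATIONAL,
                          0, mid, ISAKMP_HDR.size + len(body))
    return hdr + body


class Phase2Tracker:
    """In-progress Quick Modes keyed by (I-cookie, R-cookie, Message ID),
    the identification Section 2.4 gives for a phase 2 exchange."""

    def __init__(self):
        self.pending = {}

    def start(self, icky, rcky, mid, spis):
        if mid == 0:  # M-ID 0 belongs to phase 1, where the cookies alone identify the SA
            raise ValueError("phase 2 negotiation needs a non-zero Message ID")
        self.pending[(icky, rcky, mid)] = set(spis)

    def match_by_mid(self, icky, rcky, mid):
        key = (icky, rcky, mid)
        return key if key in self.pending else None

    def match_by_spi(self, icky, rcky, spi):
        # Fallback when the Notification does not carry the Quick Mode's M-ID:
        # walk every pending negotiation under this ISAKMP SA and test each of
        # its SPIs.  With several SPIs per exchange this is the cumbersome path.
        return [key for key, spis in self.pending.items()
                if key[:2] == (icky, rcky) and spi in spis]


def attribute_notification(tracker, msg):
    """Return (key of the pending Quick Mode or None, how that was decided)."""
    hdr = parse_header(msg)
    if hdr["np"] != NP_NOTIFICATION:
        return None, "first payload is not a Notification"
    note = parse_notification(hdr["body"])
    if note["proto"] == PROTO_ISAKMP:
        # Concerns the ISAKMP SA itself: the cookie pair identifies it and
        # Section 2.4 says the Message ID SHOULD be 0.
        why = "phase 1 notification"
        if hdr["mid"] != 0:
            why += " with unexpected non-zero M-ID"
        return None, why
    key = tracker.match_by_mid(hdr["icky"], hdr["rcky"], hdr["mid"])
    if key is not None:
        return key, "matched by Message ID"
    hits = tracker.match_by_spi(hdr["icky"], hdr["rcky"], note["spi"])
    if len(hits) == 1:
        return hits[0], "matched by SPI scan"
    return None, "unmatched (%d SPI hits)" % len(hits)


if __name__ == "__main__":
    ICKY, RCKY = b"\x01" * 8, b"\x02" * 8          # constructed cookie pair
    t = Phase2Tracker()
    t.start(ICKY, RCKY, 0x1111, [b"\x00\x00\x10\x01", b"\x00\x00\x10\x02"])
    t.start(ICKY, RCKY, 0x2222, [b"\x00\x00\x20\x01"])
    # Notification that reuses the Quick Mode's M-ID: direct hit.
    print(attribute_notification(t, build_notification(
        ICKY, RCKY, 0x1111, PROTO_IPSEC_ESP, b"\x00\x00\x10\x02", NO_PROPOSAL_CHOSEN)))
    # Notification under a fresh M-ID for the Informational exchange: SPI scan.
    print(attribute_notification(t, build_notification(
        ICKY, RCKY, 0x9999, PROTO_IPSEC_ESP, b"\x00\x00\x20\x01", NO_PROPOSAL_CHOSEN)))
```

The SPI scan only succeeds when exactly one pending negotiation owns the SPI; a Notification for a proposal that was rejected before any SPI was agreed, or one whose SPI is unknown, comes back unmatched, which is the case where having the Quick Mode's M-ID in the header makes the difference.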

